When using Apache 'Prefork' MPM mode, the Policy Server outputs handshake errors.


Article ID: 6353


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

When access occurs from multiple threads per second, the Policy Server outputs handshake errors such as the following.

 

[4844/4968][Thu Apr 06 2017 17:52:26][CServer.cpp:1974][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3152
[4844/4968][Thu Apr 06 2017 17:52:26][CServer.cpp:1981][ERROR][sm-Tunnel-00030] Handshake error: Failed to receive client hello. Socket error 0
[4844/4968][Thu Apr 06 2017 17:52:26][CServer.cpp:2147][ERROR][sm-Server-01070] Failed handshake with 10.131.xxx.xxx:57654
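To see which Web Agent hosts the failed handshakes come from and how often they occur, the lines the Policy Server writes per failure can be merged into one event per thread. The following Python is an added example, not part of the original article or the product; the sample log is constructed in the format shown above (with documentation-range addresses), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the article's log format; addresses are documentation ranges.
SAMPLE_LOG = """\
[4844/4968][Thu Apr 06 2017 17:52:26][CServer.cpp:1974][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3152
[4844/4968][Thu Apr 06 2017 17:52:26][CServer.cpp:1981][ERROR][sm-Tunnel-00030] Handshake error: Failed to receive client hello. Socket error 0
[4844/4968][Thu Apr 06 2017 17:52:26][CServer.cpp:2147][ERROR][sm-Server-01070] Failed handshake with 192.0.2.10:57654
[4844/5012][Thu Apr 06 2017 17:52:41][CServer.cpp:1974][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3152
[4844/5012][Thu Apr 06 2017 17:52:41][CServer.cpp:1981][ERROR][sm-Tunnel-00030] Handshake error: Failed to receive client hello. Socket error 0
[4844/5012][Thu Apr 06 2017 17:52:41][CServer.cpp:2147][ERROR][sm-Server-01070] Failed handshake with 192.0.2.10:57660
[4844/4968][Thu Apr 06 2017 17:53:02][CServer.cpp:1974][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3152
[4844/4968][Thu Apr 06 2017 17:53:02][CServer.cpp:2147][ERROR][sm-Server-01070] Failed handshake with 192.0.2.20:41022
not a log line
"""

LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)/(?P<tid>\d+)\]\[(?P<ts>[^\]]+)\]\[(?P<src>[^\]]+)\]"
    r"\[(?P<level>\w+)\]\[(?P<code>[\w-]+)\]\s*(?P<msg>.*)$")

def handshake_failures(text):
    """Merge the per-thread sm-Tunnel/sm-Server lines into one event per failure."""
    pending, events = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not in the bracketed format
        key = (m["pid"], m["tid"])
        if m["code"] == "sm-Tunnel-00010":
            pending[key] = {"ts": m["ts"], "error": m["msg"].rsplit(" ", 1)[-1],
                            "reason": None, "peer": None}
        elif m["code"] == "sm-Tunnel-00030" and key in pending:
            pending[key]["reason"] = m["msg"].split("Handshake error: ", 1)[-1]
        elif m["code"] == "sm-Server-01070":
            ev = pending.pop(key, {"ts": m["ts"], "error": None, "reason": None})
            ev["peer"] = m["msg"].rsplit(" ", 1)[-1]
            events.append(ev)
    return events + list(pending.values())  # unterminated events keep peer=None

def summarize(events):
    """Count failures per peer IP (port dropped) and per minute."""
    by_peer = Counter(e["peer"].rsplit(":", 1)[0] for e in events if e["peer"])
    by_minute = Counter(e["ts"][:-3] for e in events)
    return by_peer, by_minute

if __name__ == "__main__":
    peers, minutes = summarize(handshake_failures(SAMPLE_LOG))
    print(peers.most_common(), minutes.most_common())
```

Running the same summary before and after a configuration change shows whether the failure rate per Web Agent host actually dropped.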

Cause

This issue is related to Apache 'Prefork' mode.

In 'Prefork' mode, a single control process is responsible for launching child processes which listen for connections and serve them when they arrive.

Apache httpd always tries to maintain several spare or idle server processes, which stand ready to serve incoming requests. In this way, clients do not need to wait for new child processes to be forked before their requests can be served. As a result, several idle processes are likely to exist.

For this reason, the Policy Server tries to close idle sockets and sends RST packets to the Web Agent, which causes connection issues between the Web Agent and the Policy Server.

Environment

Release:
Component: SMPLC

Resolution

Apply either of the following resolutions.


1. Run Apache in 'Worker' MPM mode.

A single control process (the parent) is responsible for launching child processes. Each child process creates a fixed number of server threads as specified in the ThreadsPerChild directive, as well as a listener thread which listens for connections and passes them to a server thread for processing when they arrive. Apache HTTP Server always tries to maintain a pool of spare or idle server threads, which stand ready to serve incoming requests. In this way, clients do not need to wait for new threads or processes to be created before their requests can be served.

2. Increase the 'idletimeout' value (default 10 minutes) on the Policy Server side in smconsole.

 

Additional Information

 

Very frequent handshake errors:

https://knowledge.broadcom.com/external/article/52216/very-frequent-handshake-errors.html